First vulnerability in Vista's Windows Mail discovered

Heise Security, 26th March 2007

Hannover (Germany) - The successor to Outlook Express links seamlessly with its predecessor's dubious reputation in matters of security. Just a few months after its official release, the first significant security problem has been uncovered: under certain circumstances, simply clicking on a link in an email can cause a program to be launched on the local computer.

A hacker going by the pseudonym Kingcope has reported on a security mailing list that this can be achieved by simply embedding a link to a local program in an email. If a directory with the same name as the executable program exists, the program will be executed by Windows Mail when the user clicks on the link without requiring any confirmation. A brief test at heise Security confirmed this. After creating a folder called calc in C:\Windows\System32\, clicking on a link to c:/windows/system32/calc? launched the calculator without any further user interaction.

Under certain circumstances a click on a link can execute a program in Windows Mail

Up until to now, there has ben no real attack scenario to exploit this, and so the concrete danger is fairly low. Kingcope has listed two Windows programs, winrm and migwiz, for which the required directory already exists. But he admits that it was not possible to pass parameters to the programs, which significantly reduces the potential for targeted activities. But the simple fact that under certain circumstances clicking on a straightforward URL in an email can be sufficient to launch a local program without requiring confirmation from the user leaves an uncomfortable feeling. Many dangerous vulnerabilities in Outlook Express and Internet Explorer initially appeared to be similarly innocuous. And Microsoft will now be judged against the grandiose promises it made with regard to the security of Vista.

Copyright note: This story was provided exclusively to TG Daily by Heise Security. You can visit Heise Security directly for more stories on security topics.